/*

   nsjail - capability-related operations

   -----------------------------------------

   Copyright 2014 Google Inc. All Rights Reserved.

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

     http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.

*/
#include "caps.h"
#include <linux/capability.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <cerrno>
#include <string>
#include "logs.h"
#include "macros.h"
#include "util.h"
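/*
 * Fallback values for capabilities that older <linux/capability.h> headers do not
 * declare, so that capNames below can always list them. The numbers are the ones
 * the kernel uapi header assigns. Whether the running kernel knows a given
 * capability is a separate question: initNs() probes it with PR_CAPBSET_READ
 * before touching the bounding set.
 *
 * The guard and the defined name must match exactly, otherwise CAP_AUDIT_READ
 * stays undeclared on old headers and the capNames entry fails to compile.
 */
#if !defined(CAP_AUDIT_READ)
#define CAP_AUDIT_READ 37
#endif /* !defined(CAP_AUDIT_READ) */
#if !defined(CAP_PERFMON)
#define CAP_PERFMON 38
#endif /* !defined(CAP_PERFMON) */
#if !defined(CAP_BPF)
#define CAP_BPF 39
#endif /* !defined(CAP_BPF) */
#if !defined(CAP_CHECKPOINT_RESTORE)
#define CAP_CHECKPOINT_RESTORE 40
#endif /* !defined(CAP_CHECKPOINT_RESTORE) */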
namespace caps {
/*
 * Table of every capability this file knows about, mapping the numeric CAP_*
 * value to its symbolic name. It drives name->value parsing (nameToVal),
 * value->name rendering for log messages (capToStr), and is iterated wherever
 * "all known capabilities" is meant (initNsKeepCaps and the bounding-set drop
 * in initNs). NS_VALSTR_STRUCT is defined in macros.h; presumably it expands
 * to { value, "NAME" } — confirm there before editing the struct layout.
 */
struct {
	const int val;          /* numeric capability value (CAP_*) */
	const char* const name; /* its symbolic name, e.g. "CAP_CHOWN" */
} static const capNames[] = {
	NS_VALSTR_STRUCT(CAP_CHOWN),
	NS_VALSTR_STRUCT(CAP_DAC_OVERRIDE),
	NS_VALSTR_STRUCT(CAP_DAC_READ_SEARCH),
	NS_VALSTR_STRUCT(CAP_FOWNER),
	NS_VALSTR_STRUCT(CAP_FSETID),
	NS_VALSTR_STRUCT(CAP_KILL),
	NS_VALSTR_STRUCT(CAP_SETGID),
	NS_VALSTR_STRUCT(CAP_SETUID),
	NS_VALSTR_STRUCT(CAP_SETPCAP),
	NS_VALSTR_STRUCT(CAP_LINUX_IMMUTABLE),
	NS_VALSTR_STRUCT(CAP_NET_BIND_SERVICE),
	NS_VALSTR_STRUCT(CAP_NET_BROADCAST),
	NS_VALSTR_STRUCT(CAP_NET_ADMIN),
	NS_VALSTR_STRUCT(CAP_NET_RAW),
	NS_VALSTR_STRUCT(CAP_IPC_LOCK),
	NS_VALSTR_STRUCT(CAP_IPC_OWNER),
	NS_VALSTR_STRUCT(CAP_SYS_MODULE),
	NS_VALSTR_STRUCT(CAP_SYS_RAWIO),
	NS_VALSTR_STRUCT(CAP_SYS_CHROOT),
	NS_VALSTR_STRUCT(CAP_SYS_PTRACE),
	NS_VALSTR_STRUCT(CAP_SYS_PACCT),
	NS_VALSTR_STRUCT(CAP_SYS_ADMIN),
	NS_VALSTR_STRUCT(CAP_SYS_BOOT),
	NS_VALSTR_STRUCT(CAP_SYS_NICE),
	NS_VALSTR_STRUCT(CAP_SYS_RESOURCE),
	NS_VALSTR_STRUCT(CAP_SYS_TIME),
	NS_VALSTR_STRUCT(CAP_SYS_TTY_CONFIG),
	NS_VALSTR_STRUCT(CAP_MKNOD),
	NS_VALSTR_STRUCT(CAP_LEASE),
	NS_VALSTR_STRUCT(CAP_AUDIT_WRITE),
	NS_VALSTR_STRUCT(CAP_AUDIT_CONTROL),
	NS_VALSTR_STRUCT(CAP_SETFCAP),
	NS_VALSTR_STRUCT(CAP_MAC_OVERRIDE),
	NS_VALSTR_STRUCT(CAP_MAC_ADMIN),
	NS_VALSTR_STRUCT(CAP_SYSLOG),
	NS_VALSTR_STRUCT(CAP_WAKE_ALARM),
	NS_VALSTR_STRUCT(CAP_BLOCK_SUSPEND),
	NS_VALSTR_STRUCT(CAP_AUDIT_READ),
	NS_VALSTR_STRUCT(CAP_PERFMON),
	NS_VALSTR_STRUCT(CAP_BPF),
	NS_VALSTR_STRUCT(CAP_CHECKPOINT_RESTORE),
};
/*
 * Resolves a symbolic capability name (e.g. "CAP_SYS_ADMIN") to its numeric
 * value by a linear scan of capNames.
 *
 * Returns the capability number, or -1 after logging a warning when the name
 * is not in the table. -1 is not a usable capability number (converted to
 * unsigned it indexes far past the capability words), so callers must check
 * for it before passing the result on.
 */
int nameToVal(const char* name) {
	const size_t count = sizeof(capNames) / sizeof(capNames[0]);
	for (size_t idx = 0; idx < count; ++idx) {
		const auto& entry = capNames[idx];
		if (!util::StrEq(name, entry.name)) {
			continue;
		}
		return entry.val;
	}
	LOG_W("Unknown capability: '%s'", name);
	return -1;
}
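/*
 * Renders a numeric capability as its symbolic name, for log messages.
 *
 * Returns the name from capNames when the value is known, otherwise the
 * placeholder "CAP_UNKNOWN(<val>)" so that a bogus value is still visible in
 * the log instead of being silently dropped.
 *
 * The return type is a plain std::string: a const-qualified by-value return
 * adds nothing for the caller and prevents the temporary from being moved
 * from (clang-tidy readability-const-return-type). The function is
 * file-local, so no caller depends on the qualifier.
 */
static std::string capToStr(int val) {
	for (const auto& cap : capNames) {
		if (cap.val == val) {
			return cap.name;
		}
	}
	std::string res("CAP_UNKNOWN(");
	res.append(std::to_string(val)).append(")");
	return res;
}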
/*
 * Reads the calling thread's capability sets with the raw capget(2) syscall.
 *
 * Returns a pointer to a thread-local buffer of _LINUX_CAPABILITY_U32S_3
 * __user_cap_data_struct words (the v3 layout), or nullptr when the syscall
 * fails; the failure is logged with PLOG_W. The buffer is static and
 * per-thread, so a later getCaps() on the same thread overwrites it — do not
 * hold on to the pointer across calls.
 */
static cap_user_data_t getCaps() {
	static __thread struct __user_cap_data_struct thread_caps[_LINUX_CAPABILITY_U32S_3];
	/* pid 0 addresses the calling thread */
	const struct __user_cap_header_struct header = {
	    .version = _LINUX_CAPABILITY_VERSION_3,
	    .pid = 0,
	};
	const auto rc = util::syscall(
	    __NR_capget, reinterpret_cast<uintptr_t>(&header), reinterpret_cast<uintptr_t>(thread_caps));
	if (rc == -1) {
		PLOG_W("capget() failed");
		return nullptr;
	}
	return thread_caps;
}
/*
 * Installs the given capability sets for the calling thread with capset(2).
 *
 * cap_data must point at _LINUX_CAPABILITY_U32S_3 words in the v3 layout
 * (e.g. the buffer handed out by getCaps()). Returns true on success; on
 * failure the errno is logged via PLOG_W and false is returned.
 */
static bool setCaps(const cap_user_data_t cap_data) {
	/* pid 0 addresses the calling thread */
	const struct __user_cap_header_struct header = {
	    .version = _LINUX_CAPABILITY_VERSION_3,
	    .pid = 0,
	};
	const auto rc = util::syscall(
	    __NR_capset, reinterpret_cast<uintptr_t>(&header), reinterpret_cast<uintptr_t>(cap_data));
	if (rc != -1) {
		return true;
	}
	PLOG_W("capset() failed");
	return false;
}
/*
 * Zeroes the inheritable set in every word of cap_data, leaving the effective
 * and permitted sets as they are. This only edits the in-memory copy; the
 * thread's real sets change when setCaps() is called with it.
 */
static void clearInheritable(cap_user_data_t cap_data) {
	cap_user_data_t word = cap_data;
	const cap_user_data_t end = cap_data + _LINUX_CAPABILITY_U32S_3;
	while (word != end) {
		word->inheritable = 0U;
		++word;
	}
}
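/*
 * Tests whether capability `cap` is in the permitted set of cap_data.
 *
 * cap_data must point at _LINUX_CAPABILITY_U32S_3 words (see getCaps()). A
 * `cap` whose word index lies beyond that buffer — for instance the -1 that
 * nameToVal() returns for an unknown name, which becomes a huge unsigned
 * value here — is reported as not permitted instead of being looked up past
 * the end of the buffer.
 */
static bool getPermitted(cap_user_data_t cap_data, unsigned int cap) {
	const size_t word = CAP_TO_INDEX(cap);
	if (word >= static_cast<size_t>(_LINUX_CAPABILITY_U32S_3)) {
		return false;
	}
	const unsigned mask = CAP_TO_MASK(cap);
	return (cap_data[word].permitted & mask) != 0U;
}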
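/*
 * Tests whether capability `cap` is in the effective set of cap_data.
 *
 * cap_data must point at _LINUX_CAPABILITY_U32S_3 words (see getCaps()). A
 * `cap` whose word index lies beyond that buffer (e.g. -1 from a failed
 * nameToVal(), which converts to a huge unsigned value) is reported as not
 * effective instead of being looked up past the end of the buffer.
 */
static bool getEffective(cap_user_data_t cap_data, unsigned int cap) {
	const size_t word = CAP_TO_INDEX(cap);
	if (word >= static_cast<size_t>(_LINUX_CAPABILITY_U32S_3)) {
		return false;
	}
	const unsigned mask = CAP_TO_MASK(cap);
	return (cap_data[word].effective & mask) != 0U;
}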
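/*
 * Tests whether capability `cap` is in the inheritable set of cap_data.
 *
 * cap_data must point at _LINUX_CAPABILITY_U32S_3 words (see getCaps()). A
 * `cap` whose word index lies beyond that buffer (e.g. -1 from a failed
 * nameToVal(), which converts to a huge unsigned value) is reported as not
 * inheritable instead of being looked up past the end of the buffer.
 */
static bool getInheritable(cap_user_data_t cap_data, unsigned int cap) {
	const size_t word = CAP_TO_INDEX(cap);
	if (word >= static_cast<size_t>(_LINUX_CAPABILITY_U32S_3)) {
		return false;
	}
	const unsigned mask = CAP_TO_MASK(cap);
	return (cap_data[word].inheritable & mask) != 0U;
}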
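/*
 * Adds capability `cap` to the inheritable set of cap_data (in memory only;
 * setCaps() applies it to the thread).
 *
 * cap_data must point at _LINUX_CAPABILITY_U32S_3 words (see getCaps()). A
 * `cap` whose word index lies beyond that buffer is ignored: there is no bit
 * to set, and writing there would corrupt whatever follows the buffer.
 */
static void setInheritable(cap_user_data_t cap_data, unsigned int cap) {
	const size_t word = CAP_TO_INDEX(cap);
	if (word >= static_cast<size_t>(_LINUX_CAPABILITY_U32S_3)) {
		return;
	}
	const unsigned mask = CAP_TO_MASK(cap);
	cap_data[word].inheritable |= mask;
}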
/*
 * Fallback definitions for the ambient-capability prctl(2) interface, for
 * builds against a <sys/prctl.h> that predates it. A kernel without ambient
 * support simply fails these prctls at runtime, which initNs() and
 * initNsKeepCaps() log and tolerate.
 */
#ifndef PR_CAP_AMBIENT
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_RAISE 2
#define PR_CAP_AMBIENT_CLEAR_ALL 4
#endif /* PR_CAP_AMBIENT */
/*
 * Used when nsjconf->keep_caps is set: keeps every capability currently in
 * the permitted set by copying it into the inheritable set, committing that
 * with capset(2), and then raising each of them into the ambient set so the
 * sets survive execve.
 *
 * Returns false only if capset() fails. A failed PR_CAP_AMBIENT_RAISE is
 * logged and skipped (the ambient set needs a newer kernel), so a true result
 * does not guarantee that the ambient set was populated.
 */
static bool initNsKeepCaps(cap_user_data_t cap_data) {
	std::string inheritable_names;
	std::string ambient_names;

	/* Stage 1: mirror the permitted set into the in-memory inheritable set */
	for (const auto& entry : capNames) {
		if (!getPermitted(cap_data, entry.val)) {
			continue;
		}
		util::StrAppend(&inheritable_names, " %s", entry.name);
		setInheritable(cap_data, entry.val);
	}
	LOG_D("Adding the following capabilities to the inheritable set:%s", inheritable_names.c_str());

	if (!setCaps(cap_data)) {
		return false;
	}

	/*
	 * Stage 2: raise the same capabilities into the ambient set. The kernel only admits a
	 * capability that is already permitted and inheritable, which is why this runs after
	 * setCaps() above.
	 */
	for (const auto& entry : capNames) {
		if (!getPermitted(cap_data, entry.val)) {
			continue;
		}
		const unsigned long capno = static_cast<unsigned long>(entry.val);
		if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, capno, 0UL, 0UL) == -1) {
			PLOG_W("prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, %s)", entry.name);
			continue;
		}
		util::StrAppend(&ambient_names, " %s", entry.name);
	}
	LOG_D("Added the following capabilities to the ambient set:%s", ambient_names.c_str());

	return true;
}
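/*
 * Configures the capability sets of the calling thread for the jail.
 *
 * Steps:
 *  1. capget() the current sets; fail if that fails.
 *  2. Clear the in-memory inheritable set and the thread's ambient set, so
 *     nothing is carried over from the parent's configuration.
 *  3. If nsjconf->keep_caps is set, hand off to initNsKeepCaps().
 *  4. Otherwise mark every capability in nsjconf->caps as inheritable
 *     (refusing, with a warning, any that is not currently permitted), commit
 *     with capset(), drop every other capability from the bounding set, and
 *     raise the requested ones into the ambient set so they survive execve.
 *
 * Returns false when capget/capset fails, when a requested capability is not
 * permitted, or when a PR_CAPBSET_DROP fails. Failures of the ambient-set
 * prctls are logged but not fatal (the ambient set needs a newer kernel).
 * When CAP_SETPCAP is not effective the bounding set cannot be reduced; this
 * is logged as a warning rather than treated as an error.
 */
bool initNs(nsjconf_t* nsjconf) {
	cap_user_data_t cap_data = getCaps();
	if (cap_data == nullptr) {
		return false;
	}

	/* Let's start with an empty inheritable set to avoid any mistakes */
	clearInheritable(cap_data);
	/*
	 * Remove all capabilities from the ambient set first. It works with newer kernel versions
	 * only, so don't panic() if it fails
	 */
	if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0UL, 0UL, 0UL) == -1) {
		PLOG_W("prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL)");
	}

	if (nsjconf->keep_caps) {
		return initNsKeepCaps(cap_data);
	}

	/* Set all requested caps in the inheritable set if these are present in the permitted set */
	std::string dbgmsg;
	for (const auto& cap : nsjconf->caps) {
		if (!getPermitted(cap_data, cap)) {
			LOG_W("Capability %s is not permitted in the namespace", capToStr(cap).c_str());
			return false;
		}
		dbgmsg.append(" ").append(capToStr(cap));
		setInheritable(cap_data, cap);
	}
	LOG_D("Adding the following capabilities to the inheritable set:%s", dbgmsg.c_str());

	if (!setCaps(cap_data)) {
		return false;
	}

	/*
	 * Make sure all other caps (those which were not explicitly requested) are removed from the
	 * bounding set. We need to have CAP_SETPCAP to do that now
	 */
	dbgmsg.clear();
	if (getEffective(cap_data, CAP_SETPCAP)) {
		for (const auto& i : capNames) {
			if (getInheritable(cap_data, i.val)) {
				continue;
			}
			const unsigned long capno = static_cast<unsigned long>(i.val);
			/* A capability the running kernel does not know cannot be in its bounding set */
			if (prctl(PR_CAPBSET_READ, capno, 0UL, 0UL, 0UL) == -1 && errno == EINVAL) {
				LOG_D("Skipping unsupported capability: %s", i.name);
				continue;
			}
			dbgmsg.append(" ").append(i.name);
			if (prctl(PR_CAPBSET_DROP, capno, 0UL, 0UL, 0UL) == -1) {
				PLOG_W("prctl(PR_CAPBSET_DROP, %s)", i.name);
				return false;
			}
		}
		LOG_D("Dropped the following capabilities from the bounding set:%s", dbgmsg.c_str());
	} else {
		/*
		 * Without CAP_SETPCAP the bounding set cannot be changed. Say so explicitly: the
		 * capabilities that were not requested stay in the bounding set, so they remain
		 * available to programs executed later that carry file capabilities.
		 */
		LOG_W("CAP_SETPCAP is not in the effective set: the bounding set was not reduced, "
		      "capabilities that were not requested remain in it");
	}

	/* Make sure inheritable set is preserved across execve via the modified ambient set */
	dbgmsg.clear();
	for (const auto& cap : nsjconf->caps) {
		const unsigned long capno = static_cast<unsigned long>(cap);
		if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, capno, 0UL, 0UL) == -1) {
			PLOG_W("prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, %s)", capToStr(cap).c_str());
			continue;
		}
		dbgmsg.append(" ").append(capToStr(cap));
	}
	LOG_D("Added the following capabilities to the ambient set:%s", dbgmsg.c_str());

	return true;
}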
} // namespace caps